{
	"id": "873a04a4-b777-4535-8820-15a4af7a94ff",
	"created_at": "2026-04-06T00:12:12.883307Z",
	"updated_at": "2026-04-10T03:21:39.631413Z",
	"deleted_at": null,
	"sha1_hash": "6ead3384cfe5c5089d17813cc97bc98dd490794b",
	"title": "Monti Ransomware Unleashes a New Encryptor for Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2575090,
	"plain_text": "Monti Ransomware Unleashes a New Encryptor for Linux\r\nBy Nathaniel Morales, Joshua Paul Ignacio (1443 words)\r\nPublished: 2023-08-14 · Archived: 2026-04-05 22:45:56 UTC\r\nRansomware\r\nThe Monti ransomware collective has restarted their operations, focusing on institutions in the legal and\r\ngovernmental fields. Simultaneously, a new variant of Monti, based on the Linux platform, has surfaced,\r\ndemonstrating notable differences from its previous Linux-based versions.\r\nIntroduction\r\nThe Monti ransomware, which has both Windows and Linux-based variants, gained attention from cybersecurity\r\norganizations and researchers when it was first discovered in June 2022 because of its striking resemblance to the\r\ninfamous Conti ransomware — not just in name but also in the tactics that the threat actors used. The group,\r\noperating under the moniker \"Monti,\" has also deliberately emulated the widely recognized tactics, techniques,\r\nand procedures (TTPs) of the Conti team, incorporating a substantial number of their tools and even using Conti’s\r\nleaked source code. Since its discovery, the Monti group has been continuously targeting companies, exposing\r\nthem on their leak site.\r\nIndustry Count\r\nLegal 3\r\nFinancial services 2\r\nHealthcare 2\r\nOthers 6\r\nTable 1. The industries of the companies that appeared on the Monti ransomware leak site. Data is from March to August 2023.\r\nFollowing a two-month break from exposing victims on their leak site, the Monti ransomware group has resumed\r\nits malicious activities, this time targeting organizations within the legal and government sectors. Alongside this, a\r\nfresh Linux-based variant of Monti (Ransom.Linux.MONTI.THGOCBC) has emerged, displaying significant\r\ndeviations from its other Linux-based predecessors. 
Unlike the earlier variant, which is primarily based on the\r\nleaked Conti source code, this new version employs a different encryptor with additional distinct behaviors. As of\r\nthis writing, only three security vendors had tagged the sample as malicious on VirusTotal.\r\nhttps://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html\r\nPage 1 of 8\n\nComparing the new variant to the old one using BinDiff, we found that it only showed a similarity rate of 29% as\r\nopposed to the 99% similarity rate of the older variants and Conti.\r\nFigure 1. Comparison of the old and new Monti variants using BinDiff\r\nFigure 2. Comparison of the old Monti variant and Conti ransomware using BinDiff\r\nAnalysis\r\nThe new Linux variant accepts the following command line arguments, omitting some arguments from its older\r\nvariant and adding the --whitelist parameter. In the following table, --whitelist is the added parameter, and the\r\nparameters dropped from the old variant are marked as removed.\r\nArgument Description\r\n--help Displays arguments usage\r\n--path \u003cstring\u003e Path to be encrypted\r\n--whitelist \u003cstring\u003e List of VMs to be skipped\r\n--vmkill Option to kill virtual machine (VM)\r\n--detach Detach from terminal\r\n--size removed\r\n--log removed\r\n--vmlist removed\r\nTable 2. The command line arguments accepted by the new variant\r\nCompared to its predecessor, the current version also employs the -type=soft parameter to terminate virtual\r\nmachines on the system (as opposed to the --type=hard parameter). The shift to --type=soft suggests that the threat\r\nactors behind Monti may have chosen this approach to minimize the risk of immediate detection while carrying\r\nout their activities.\r\nFigure 3. 
Code snippet showing the -type=soft parameter used to terminate virtual machines\r\nMonti’s developers also tampered with the /etc/motd and index.html files, replacing their contents with a ransom\r\nnote announcing that the server has been successfully infiltrated. Note that MOTD (or Message of the Day) is a\r\ntext message displayed when a user logs in to a Linux operating system.\r\nInfection marker\r\nOne of the additions of this new variant is that it appends the bytes “MONTI” followed by an additional 256 bytes\r\nthat are linked to the encryption key.\r\nBefore proceeding with its encryption routine, the ransomware will check specific conditions. First, it checks\r\nwhether the file size is 261 bytes or below, which corresponds to the size of the infection marker it appends after\r\nencryption. If this condition is met — indicating that the file is not encrypted given that its size is smaller than the\r\nappended infection marker — the ransomware proceeds with the infection process.\r\nIf the initial condition is not met, Monti will then check the last 261 bytes of the file to verify the presence of the\r\nstring \"MONTI.\" If this string is detected, the file will be skipped, signifying that it has already been encrypted.\r\nHowever, if the string is not found, the malware will proceed with the encryption process for the file.\r\nFigure 7. Code snippet to check for the presence of the “MONTI” string via the last 261 bytes of the\r\nfile to be encrypted\r\nChecking file sizes and intermittent encryption\r\nBased on our analysis, the new ransomware variant employs AES-256-CTR encryption using evp_enc from the\r\nOpenSSL library instead of the Salsa20 implemented by the old variant.\r\nWe also discovered that the sample we analyzed employs various encryption methods for files. 
Unlike the\r\nprevious variant, which utilized a --size argument to determine the percentage of the file to be encrypted, this new\r\nvariant solely relies on the file size for its encryption process. In this section, we break down the different ways\r\nthat the Monti ransomware determines the size of the file to be encrypted.\r\nFigure 8. Function containing the initialization of the cipher value stored in v7\r\nFigure 9. Function 40CC10 containing evp_enc.c from the OpenSSL library\r\nFigure 11. Checking file size and determining the size to be encrypted\r\nThe sample will only encrypt the first 100,000 (0xFFFFF) bytes of the file and append its infection marker at the\r\nend of the file if the file size is larger than 1.048MB but smaller than 4.19MB.\r\nIf the file size exceeds 4.19MB, it employs a Shift Right operation to calculate the total size of the file to be\r\nencrypted (which depends on the actual file size). Meanwhile, files with a size smaller than 1.048MB will have all\r\ntheir content encrypted.\r\nFigure 13. Encrypted file (left) vs original file (right). Using 0x635818 (total size), Shift Right 2 is\r\nequivalent to 0x18D606 (bytes to be encrypted)\r\nAs with previous variants, the new version appends the .monti file extension to the encrypted files and drops its\r\nransom note readme.txt to every directory.\r\nFigure 14. 
Appending the .monti suffix to encrypted files (top) and the ransom note\r\nWhile analyzing the samples, we discovered a decryption code that suggests the threat actor was testing its\r\nfunctionality. It seems that they forgot to remove this code when deploying the sample. However, the decryption\r\ncode is currently ineffective since it requires a private key known only to the malware author and has no\r\nconnection to the malware routine. Therefore, it will not be executed by the program.\r\nConclusion\r\nIt’s likely that the threat actors behind Monti still employed parts of the Conti source code as the base for the new\r\nvariant, as evidenced by some similar functions, but implemented significant changes to the code — especially to\r\nthe encryption algorithm. Furthermore, by altering the code, Monti’s operators are enhancing its ability to evade\r\ndetection, making their malicious activities even more challenging to identify and mitigate.\r\nIt is advisable for organizations to adopt effective defense strategies that include protocols for safeguarding data\r\nand the establishment of procedures for backup and recovery to protect their systems from ransomware attacks.\r\nThese measures ensure the security of data and its potential restoration even in the event of encryption or deletion.\r\nWe suggest the subsequent security measures to protect important data:\r\nImplement multifactor authentication (MFA) to impede attackers from progressing horizontally within a\r\nnetwork and gaining access to sensitive data.\r\nAdhere to the 3-2-1 guideline when generating backups for crucial files. This guideline entails creating\r\nthree backup copies in two distinct file formats, with one copy stored at a separate location. 
This approach\r\nensures redundancy and minimizes the possibility of data loss.\r\nTrend Micro Solutions\r\nA multilayered approach to security can help organizations guard possible entry points into their system such as\r\nendpoints, emails, web, and networks. The following security technologies can detect malicious components and\r\nsuspicious behavior to help protect organizations from ransomware:\r\nTrend Vision One™ provides multilayered protection and behavior detection, which helps block\r\nquestionable behavior and tools early on before ransomware can do irreversible damage to the system.\r\nTrend Cloud One™ – Workload Security protects systems against both known and unknown threats that\r\nexploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine\r\nlearning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis\r\ntechniques to effectively block malicious emails, including phishing emails that can serve as entry points for\r\nransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced\r\nconcerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nAdditional Insights by Byron Gelera and Bren Matthew Ebriega\r\nIndicators of Compromise\r\nSHA1 Detection\r\nf1c0054bc76e8753d4331a881cdf9156dd8b812a Ransom.Linux.MONTI.THGOCBC\r\na0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef Ransom.Linux.MONTI.THGADBC\r\nhxxp://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid[.]onion\r\nhxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid[.]onion\r\nSource: 
https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html"
	],
	"report_names": [
		"monti-ransomware-unleashes-a-new-encryptor-for-linux.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ead3384cfe5c5089d17813cc97bc98dd490794b.pdf",
		"text": "https://archive.orkl.eu/6ead3384cfe5c5089d17813cc97bc98dd490794b.txt",
		"img": "https://archive.orkl.eu/6ead3384cfe5c5089d17813cc97bc98dd490794b.jpg"
	}
}